Identity and Access Management (IAM) programs define standard controls to ensure endpoint systems are designed, configured, and managed to preserve the confidentiality, integrity, and availability of information. Most of these controls are recognized as good practice and require minimal effort to implement if the IAM solution is built properly. Our implementations consistently highlight a need for organizations to pay greater attention to the security of their information systems, which begins with establishing a solid foundation.
The following terms are important to understand when designing and building an IAM solution.
- Attributes are the data elements that store information in a directory. Common attributes for an employee record are: first name, last name, UserID, department, manager, cost center, position, and email address.
- Audit Repository is a system that stores audit information on activities within the IDM solution. This repository can be a database or a file system, but for security and compliance reasons it is kept as a separate component from the directory services layer of the solution.
- Authoritative Source is a managed repository of valid, trusted data that is recognized by the organization as definitive for a particular attribute or set of attributes for a user. Example: an HR system (e.g., SAP, Workday, Lawson, Baan, or PeopleSoft) for employee attributes such as first name, last name, manager, cost center, and location. Authoritative Source is synonymous with ‘System of Record’.
- Directory – A repository of information composed of users and other objects (e.g., printers, servers) within the enterprise network. Note that a directory can serve different purposes; see the definitions of ‘Identity Store’ and ‘Service Directory’ below.
- Endpoint – A managed system or application, connected to the Directory, to which a user has been granted access. Applications and other endpoint systems consume data from the Identity Store or a Service Directory to manage users. Examples include Unix servers, SAP modules, and databases (Oracle, SQL, MySQL).
- Group – A group is used to define a set of users or other Directory objects (e.g., printers). The objects listed in the group are called ‘members’ of the group. Groups are often used to grant their members access rights to systems and applications, or to create email distribution lists.
- Identity – When the Identity Management system receives data for a new user, it creates an object (aka record) for that user in the Identity Store; that record is called an Identity.
- Identity Store – A meta-repository that stores identity data from authoritative sources and synchronizes that data between one or more directory services and/or databases. It is a core component of any identity management solution and acts as the Hub for Identity Data.
- LDAP – Acronym for Lightweight Directory Access Protocol, which is a network protocol used to access a hierarchical directory of information on a directory server.
- Object Class – An object class is a named container for attributes, and each class must have a unique name. The three most common object classes are Computers, Groups, and Users. The ‘User’ object class defines the collection of attributes for users, such as first name, last name, UserID, manager, location, cost center, hire date, and job position.
- Reverse Proxy is an Access Control solution providing user authentication, web single sign-on, and coarse-grained authorization via centralized Policy (Rules & Enforcement).
- Role – A role is a logical construct that allows the assignment of a set of entitlements to a user based on the user’s relationship to the organization. Roles are used to manage access to resources, create endpoint user accounts, and assign group membership for application access.
- Service Directory – A service directory subscribes to a subset of data published by the Identity Store to provide a service or set of services to users. For example, most organizations use Active Directory as a service directory to provide Authentication and File & Print services to users. This layer provides identity information to all end users seeking services from the solution.
- Schema – Defines the structure of the Directory and the set of rules that govern the kinds of information the Directory can hold. A number of different element types may make up an LDAP schema. Every LDAP schema must include the following elements:
  - Attribute syntaxes, which define the types of data that can be represented.
  - Matching rules, which define the kinds of comparisons that can be performed against LDAP data.
  - Attribute types, which define what information may be stored.
  - Object classes, which define the sets of attribute types that may be used for each kind of object (e.g., user, computer, group), and which of those attribute types are required and which are optional.
- Virtual Directory – A hierarchical directory services virtualization platform used to manage user objects, groups, and other related objects.
- XML – Acronym for eXtensible Markup Language, a format for defining, transmitting, validating, and interpreting data between directories, applications, and other systems. Connectors between the Identity Store, Service Directories, and connected Endpoints use XML to transmit data.
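As an added example (not code from this post or from any IAM product), the schema elements listed under ‘Schema’ and ‘Object Class’ above modelled in Python: a hypothetical ‘user’ object class with required and optional attribute types, each with a syntax and an equality matching rule, plus a validator that reports the entries a directory would refuse. The attribute and class names are assumptions loosely modelled on the standard inetOrgPerson class.

```python
# Added toy LDAP-style schema checker (not any product's code): attribute syntaxes,
# matching rules, attribute types, and object classes with MUST/MAY attribute lists.
SYNTAXES = {  # attribute syntaxes: what values an attribute may hold
    "DirectoryString": lambda v: isinstance(v, str) and len(v) > 0,
    "Integer": lambda v: isinstance(v, str) and v.isdigit(),
    "Mail": lambda v: isinstance(v, str) and v.count("@") == 1 and "." in v.split("@")[1],
}
MATCHING_RULES = {  # how two values compare (e.g. UserID lookups ignore case)
    "caseIgnoreMatch": lambda a, b: a.casefold() == b.casefold(),
    "caseExactMatch": lambda a, b: a == b,
    "integerMatch": lambda a, b: int(a) == int(b),
}
ATTRIBUTE_TYPES = {  # name -> (syntax, equality matching rule, single-valued?)
    "uid": ("DirectoryString", "caseIgnoreMatch", True),
    "givenName": ("DirectoryString", "caseIgnoreMatch", False),
    "sn": ("DirectoryString", "caseIgnoreMatch", False),
    "mail": ("Mail", "caseIgnoreMatch", False),
    "manager": ("DirectoryString", "caseExactMatch", True),
    "employeeNumber": ("Integer", "integerMatch", True),
}
OBJECT_CLASSES = {  # hypothetical "user" class, loosely modelled on inetOrgPerson
    "user": {"must": {"uid", "sn", "givenName"},
             "may": {"mail", "manager", "employeeNumber"}},
}

def validate_entry(entry):
    """Return schema violations for an entry given as {attribute: [values]}."""
    problems, must, may = [], set(), set()
    for oc in entry.get("objectClass", []):
        if oc not in OBJECT_CLASSES:
            problems.append(f"unknown objectClass {oc}")
            continue
        must |= OBJECT_CLASSES[oc]["must"]
        may |= OBJECT_CLASSES[oc]["may"]
    problems += [f"missing required attribute {a}" for a in sorted(must - set(entry))]
    for attr, values in entry.items():
        if attr == "objectClass":
            continue
        if attr not in must | may:  # not permitted by any object class of the entry
            problems.append(f"attribute {attr} not allowed by the object classes")
            continue
        syntax, _rule, single = ATTRIBUTE_TYPES[attr]
        if single and len(values) > 1:
            problems.append(f"{attr} is single-valued")
        problems += [f"{attr} value {v!r} violates syntax {syntax}"
                     for v in values if not SYNTAXES[syntax](v)]
    return problems

def attribute_equals(attr, a, b):
    """Compare two values with the attribute type's equality matching rule."""
    return MATCHING_RULES[ATTRIBUTE_TYPES[attr][1]](a, b)
```

A real directory server applies the same four checks on every add or modify, which is why a well-maintained schema is an integrity control rather than just documentation.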